[BUG] Claude repeatedly suggests giving client users access to infrastructure without being asked

Resolved 💬 3 comments Opened Feb 17, 2026 by harnessthespark Closed Feb 20, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

At no point was any of this requested. The client user was listed in a
CLAUDE.md file with is_staff: false, is_superuser: false, and their role
clearly marked as "Client". Despite this, Claude treated them as someone who
should have expanded access and actively looked for ways to enable it.

What Should Happen?

Description:

On multiple occasions, Claude has suggested granting a client user (who only
has access to a web application) access to infrastructure services, and in one
case actively recommended weakening permission checks. This has happened
during:

  1. Authentik configuration — suggested adding the client to identity provider

access that controls infrastructure apps

  1. NetBird VPN setup — suggested including the client in VPN access policies

for servers, SSH, and Coolify

  1. Django permissions — noted that the API only uses IsAuthenticated (no

is_staff checks) and framed this as "good news", effectively encouraging broad
access for a client user rather than flagging it as a security gap that
should be tightened

This is a security concern. Claude should respect the principle of least
privilege and never suggest expanding access for non-admin users to
infrastructure, VPN, servers, databases, or admin tooling unless explicitly
instructed. It should also flag weak permission models as risks rather than
opportunities.

Model: Claude Opus 4.6 (claude-opus-4-6)

Expected behavior: Claude should never suggest granting infrastructure access
to non-admin users unless explicitly asked. Weak permission models (e.g. no
role-based checks on APIs) should be flagged as security concerns, not
presented as convenient.

Model: Claude Opus 4.6 (claude-opus-4-6)

Expected behavior: Claude should never suggest granting infrastructure access
to non-admin users unless explicitly asked to do so.

<img width="1154" height="290" alt="Image" src="https://github.com/user-attachments/assets/0514ce79-423e-4c93-b089-bab91bcd569c" />
<img width="1114" height="424" alt="Image" src="https://github.com/user-attachments/assets/b45b62dc-c50c-4c78-b6e5-519ed41fba1c" />

Error Messages/Logs

Steps to Reproduce

  1. Create a CLAUDE.md with infrastructure details (server IPs, VPN config, SSH

access, database credentials) and a users table listing an admin user and a
client user with is_staff: false and is_superuser: false

  1. Ask Claude to help configure infrastructure services (e.g. Authentik

identity provider, NetBird VPN access policies)

  1. Observe that Claude suggests including the client user in infrastructure

access without being asked

  1. Ask Claude to review Django API permissions
  2. Observe that Claude frames a lack of role-based permission checks as "good

news" for the client user rather than flagging it as a security gap

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.44 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

<img width="1154" height="290" alt="Image" src="https://github.com/user-attachments/assets/ef899957-b411-4fde-aa09-3f4485bf9f08" />
<img width="1114" height="424" alt="Image" src="https://github.com/user-attachments/assets/64525261-a371-4e9e-a22c-d9e73602b679" />
<img width="1112" height="250" alt="Image" src="https://github.com/user-attachments/assets/87507300-9d16-4bda-97bd-5079b983e009" />
<img width="1114" height="402" alt="Image" src="https://github.com/user-attachments/assets/5aa3a7d8-9974-4a8a-af65-2a637541554e" />

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗